Re: [Cfrg] AES-GCM-SIV security of the additional data
"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Fri, 24 June 2016 13:58 UTC
Return-Path: <Kenny.Paterson@rhul.ac.uk>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7048412B009 for <cfrg@ietfa.amsl.com>; Fri, 24 Jun 2016 06:58:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=rhul.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dIn3VmJ4wdWg for <cfrg@ietfa.amsl.com>; Fri, 24 Jun 2016 06:58:55 -0700 (PDT)
Received: from emea01-am1-obe.outbound.protection.outlook.com (mail-am1on0625.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe00::625]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E7AF12DA84 for <cfrg@ietf.org>; Fri, 24 Jun 2016 06:58:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhul.onmicrosoft.com; s=selector1-rhul-ac-uk; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Q3gYg2CkVIYnC0uXGVgRs0zxWnapZthTDK6IiDiBAD0=; b=XepDH/jsQCSqYTtKDb8sPU5OxFHyv3mmWtstrgj84czUNujJW0yuWzsP1iQftpJUQx4qdVz+vh60S735ZhjSYeQbiNHllxXNo00XNWWCenQksi1q5g/9duk46VbLYZYpgxforjCf484ximTiWKhigrIo4nJyhh1E0ze1tQCgg4Y=
Received: from VI1PR03MB1822.eurprd03.prod.outlook.com (10.166.42.148) by VI1PR03MB1821.eurprd03.prod.outlook.com (10.166.42.147) with Microsoft SMTP Server (TLS) id 15.1.523.12; Fri, 24 Jun 2016 13:53:48 +0000
Received: from VI1PR03MB1822.eurprd03.prod.outlook.com ([10.166.42.148]) by VI1PR03MB1822.eurprd03.prod.outlook.com ([10.166.42.148]) with mapi id 15.01.0523.019; Fri, 24 Jun 2016 13:53:46 +0000
From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Antonio Sanso <asanso@adobe.com>
Thread-Topic: [Cfrg] AES-GCM-SIV security of the additional data
Thread-Index: AQHRzgyMNFkKTSqpJkGxUgqboNSngJ/4rLoA///zIICAABUPgA==
Date: Fri, 24 Jun 2016 13:53:46 +0000
Message-ID: <D392F7AA.6EF93%kenny.paterson@rhul.ac.uk>
References: <CAPqF7e0QsCPn_OSKEry60Hm9F2BDU6DNG6Yc2NU=ocyCU2mwFg@mail.gmail.com> <D392EEF2.6EF40%kenny.paterson@rhul.ac.uk> <A9961C08-798F-4871-96D6-5B1A989A9FDE@adobe.com>
In-Reply-To: <A9961C08-798F-4871-96D6-5B1A989A9FDE@adobe.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.5.160527
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Kenny.Paterson@rhul.ac.uk;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [78.146.50.187]
x-ms-office365-filtering-correlation-id: 1057460d-80e1-4f4d-5161-08d39c36f684
x-microsoft-exchange-diagnostics: 1; VI1PR03MB1821; 6:uZBMhHiUHEtlDb/1cdig+Jj3RNLd/XbdzyA9gKlp+R3r85pJ9BgmM13IoGEhDIbzajG/L9SejGrl+5gz8a949w2LhkGdlA4ZiBewgA3d+IC7uaeF96rOat1CCfJNvQQ6k+vfp0yRJ5eEGKG0mSoceOWzx2gURnCNvDTy1gVVOqY3dHkrlXUc/ks27uEE60MDBeTfdA1fqBdsMOrWyz68wt0mfGOfr4ras0Hi5Ghg11jCXR7ZNoKwZkq7N7VVK3ocLWA/NA2xezHZIv7bP6bQno6dzKQ7puXi41zj0LkQmboQ5Nxuujc8RtgJ2pW27J6E; 5:1Qf1OVhqZKcy38b3R3HFEHF2gJr9/QHCygGXnPirpBqQzX/P8QI/sp7gGKg6YYO47Rqfq+CVd8kUAE8Fqq1ln7Nj1ou2kr5kbQlUBEIbIcWPYy1NqCdz3mFoWJoTUO5/uGAxkcucW576XPOWRWb+bQ==; 24:wvOySpa/Dv5QnyIDQ37TXSyqDz4T2lQp5xjx8l+nhYW2PVy5a3ZiF6FjeQs7cojn/cIL6+rHLV1Fwo58phv7FriSVlda13EITPZT4Vw10DY=; 7:L3yJA0og5i6slJLRb1wFFclWx5D2uBJE2dQ9YkXJzhGWNzuwDgs8mqmURcwGyE4+iuHNSuDDudcslvdi0J8DzptcXf9WgLtzLoyWiKFAV60uSwJ/5aGRPHRkUpFzI6WmGmxxrhl7kdtPGZimhXxGqnghrdwDdGJSPPOINmfdZRhBhGEKrEZeRQdazBZ+CE/alI9AMjxpgBmVPZwhL7W7gbVIcPRyVpAwc0+o3Khd3xRo04yCqMw2wHLdXokSOwWPsGAfwQJsY2NNlMx9ox0VoQ==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:VI1PR03MB1821;
x-microsoft-antispam-prvs: <VI1PR03MB1821BAB1161B75F1F9CC24B2BC2E0@VI1PR03MB1821.eurprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705)(211936372134217);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001); SRVR:VI1PR03MB1821; BCL:0; PCL:0; RULEID:; SRVR:VI1PR03MB1821;
x-forefront-prvs: 0983EAD6B2
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(7916002)(24454002)(377454003)(199003)(189002)(77096005)(19580395003)(87936001)(92566002)(15975445007)(97736004)(54356999)(68196006)(4001350100001)(10400500002)(2906002)(19580405001)(110136002)(122556002)(36756003)(7846002)(3846002)(561944003)(102836003)(6116002)(586003)(305945005)(7736002)(15650500001)(81156014)(68736007)(81166006)(3280700002)(106116001)(3660700001)(106356001)(105586002)(2950100001)(230783001)(5002640100001)(76176999)(4326007)(8936002)(101416001)(50986999)(83506001)(2900100001)(86362001)(8676002)(189998001)(66066001)(74482002); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR03MB1821; H:VI1PR03MB1822.eurprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: rhul.ac.uk does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <9AD84EDFA47DA044916A1434D8F3D41A@eurprd03.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: rhul.ac.uk
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Jun 2016 13:53:46.6074 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2efd699a-1922-4e69-b601-108008d28a2e
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR03MB1821
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/_5Iiz1Eto3Hza52W66DcIJPlmKg>
Resent-From: alias-bounces@ietf.org
Resent-To: <>
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
Subject: Re: [Cfrg] AES-GCM-SIV security of the additional data
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jun 2016 13:58:58 -0000
Hi Antonio, On 24/06/2016 14:40, "Antonio Sanso" <asanso@adobe.com> wrote: >hi Kenny > >On Jun 24, 2016, at 3:24 PM, Paterson, Kenny <Kenny.Paterson@rhul.ac.uk> >wrote: > >> >> In your scenario it looks like you are trying to use the shared secret S >> to provide authentication of the sender to the receiver, along with >> confidentiality for the message being delivered > >to me this seems a pretty common scenario. >If I am not completely wrong in my understanding is for example what JWE >does [0] and [1] for example > >regards > >antonio > >[0] https://tools.ietf.org/html/rfc7516#page-32 >[1] https://tools.ietf.org/html/rfc7516#page-36 Key transport via PKE using, for example RSA-OAEP, is a certainly an option in JWE. But what Daniel describes has an additional symmetric key ("S") for the purposes of authentication, I think, and does not strictly match anything I've seen in the JSON RFCs. But let's allow Daniel to answer on that one... Cheers Kenny > >> . In this scenario, it's >> not clear to me why the sender and receiver would not just use S as an >> AES-GCM-SIV key to transport a session key K, and then use K in another >> instance of AES-GCM-SIV to transport the desired messages. Of course, >>this >> construction would not prevent replay attacks; for that you'd need >> additional mechanisms, like incorporating a counter into the AD of the >> key-transporting AEAD. >> >> But perhaps one should not underestimate the ingenuity of implementers >>in >> wanting to use public key encryption. Is this where you are coming from? >> >> On a related point, my view is that it is a disbenefit that the >> AES-GCM-SIV proposal has two separate keys (one for encryption, the >>other >> for authentication) as inputs. That's not the AEAD interface that we >>have >> raised our implementers on. I raised this point at the CFRG meeting in >> Vienna back in May. Simply concatenating the two keys in the current >> proposal into one would address this issue, but not the one you raise >>(if >> I understand it correctly). >> >> (The minutes of the meeting can be found here: >> >>https://www.ietf.org/proceedings/interim-2016-cfrg-01/minutes/minutes-int >>er >> im-2016-cfrg-1) >> >> Regards >> >> Kenny >> >> >> On 24/06/2016 12:35, "Cfrg on behalf of Daniel Bleichenbacher" >> <cfrg-bounces@irtf.org on behalf of bleichen@google.com> wrote: >> >>> I'm wondering what can or should be expected about the security of the >>> additional data. >>> >>> >>> In particular, I'm considering the following scenario: >>> >>> >>> Sender and receiver share a secret S. >>> The sender knows the public key of the receiver and the receiver of >>> course knows the private key. >>> They use a hybrid encryption as follows: >>> >>> >>> The sender chooses a new AES-GCM-SIV key, encrypts his message >>> and includes S as additional data. The AES-GCM-SIV key is wrapped with >>> the receivers public key and the wrapped key and ciphertext are sent to >>> the receiver. >>> >>> >>> Here an attacker can use that AES-GCM-SIV allows to select a key such >>> that the >>> element H used for POLYVAL is 0. In this case it would not be necessary >>> for the sender >>> to know S to construct a ciphertext that validates. >>> A similar attack using AES-GCM seems much harder since the value H for >>> the GHASH >>> is obtained by encrypting 0 and thus I'm not aware of a way to do the >>> same thing here. >>> >>> >>> The attack does of course not violate any of the guarantees claimed. >>> However, in the industry lots of ad hoc protocols are designed without >>> proper security reductions and hence it seems a bit scary to me to >>>allow >>> this kind of "weak" keys. And since abuse resistance is >>> one of the goals it might be a good idea to avoid such type of abuses. >>> >>> >>> >> >> _______________________________________________ >> Cfrg mailing list >> Cfrg@irtf.org >> https://www.irtf.org/mailman/listinfo/cfrg >
- Re: [Cfrg] AES-GCM-SIV with a new key hierarchy Paterson, Kenny
- Re: [Cfrg] AES-GCM-SIV security of the additional… Adam Langley
- Re: [Cfrg] AES-GCM-SIV with a new key hierarchy Aaron Zauner
- Re: [Cfrg] AES-GCM-SIV with a new key hierarchy Gueron, Shay
- Re: [Cfrg] AES-GCM-SIV with a new key hierarchy Aaron Zauner
- Re: [Cfrg] AES-GCM-SIV security of the additional… Gueron, Shay
- Re: [Cfrg] AES-GCM-SIV security of the additional… Paterson, Kenny
- Re: [Cfrg] AES-GCM-SIV security of the additional… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] AES-GCM-SIV security of the additional… Jim Schaad
- Re: [Cfrg] AES-GCM-SIV with a new key hierarchy Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] AES-GCM-SIV security of the additional… Blumenthal, Uri - 0553 - MITLL
- [Cfrg] AES-GCM-SIV with a new key hierarchy Gueron, Shay
- Re: [Cfrg] AES-GCM-SIV security of the additional… Gueron, Shay
- Re: [Cfrg] AES-GCM-SIV security of the additional… Daniel Bleichenbacher
- Re: [Cfrg] AES-GCM-SIV security of the additional… Paterson, Kenny
- Re: [Cfrg] AES-GCM-SIV security of the additional… Antonio Sanso
- Re: [Cfrg] AES-GCM-SIV security of the additional… Paterson, Kenny
- Re: [Cfrg] AES-GCM-SIV security of the additional… Blumenthal, Uri - 0553 - MITLL
- [Cfrg] AES-GCM-SIV security of the additional data Daniel Bleichenbacher
- Re: [Cfrg] AES-GCM-SIV security of the additional… Daniel Bleichenbacher
- Re: [Cfrg] AES-GCM-SIV with a new key hierarchy Dan Harkins
- Re: [Cfrg] AES-GCM-SIV with a new key hierarchy Shay Gueron